Our ongoing commitment to security

We support the security needs of our members and the library community through regular communications and transparency about our processes, goals, certifications, and principles.
At OCLC, we have robust controls in place to maintain strict security for data and services in the cloud. Our governance processes are focused on compliance and audit standards to ensure access to data is always in secure, controlled environments.
Strategic security goals
- Protect information and systems by focusing on safeguarding the confidentiality, integrity, availability, and resiliency of data and critical information systems to ensure our ability to deliver services to customers and employees.
- Reduce security risk by creating the culture, frameworks, and processes required to address security risks.
- Enhance security capabilities by developing the practices, processes, workforce, and overall security capabilities required to protect OCLC from security threats and ensure continual improvement to face tomorrow’s security challenges. We do this while aligning security priorities with business needs and strategies.
- Approach security at the enterprise level, enhancing security across the entire organization through the establishment of company-wide security programs, best practices, common frameworks, and information security policies.
- Lead the library community as a partner, helping libraries, vendors, publishers, and other partners in the sector enhance their security through workshops, educational opportunities, and collaborative opportunities.
Certifications and attestations

FedRAMP: US Federal Government approved cloud provider marketplace
The Federal Risk and Authorization Management Program (FedRAMP) is a United States federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP mandates a core set of processes to ensure effective, repeatable cloud security for cloud service offerings that hold federal government data. OCLC maintains a FedRAMP LI-SaaS authority to operate (ATO).

StateRAMP: US State and Local Government approved cloud provider marketplace
The State Risk and Authorization Management Program (StateRAMP) is a United States state and local government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. StateRAMP mandates a core set of security standards based upon the National Institute of Standards and Technology (NIST) Special Publication 800-53 security and privacy controls for information systems and organizations. OCLC maintains a ‘Ready’ security status and is a member of the StateRAMP Authorized Vendor List.

ISO/IEC 27001: Information security management standard
ISO/IEC 27001 is a security standard that formally specifies an Information Security Management System (ISMS) that is intended to bring information security under explicit management control. It mandates requirements that define how to implement, monitor, maintain, and continually improve the ISMS. This certification helps OCLC comply with numerous regulatory and legal requirements that relate to the security of information.

ISO/IEC 27018: Personally Identifiable Information (PII) data protection standard
ISO/IEC 27018 is an international code of practice for cloud privacy. Based on EU data-protection laws, it gives specific guidance to cloud service providers (CSPs) acting as processors of personally identifiable information (PII) on assessing risks and implementing state-of-the-art controls for protecting PII.

ISO/IEC 27701: Privacy Information Management System (PIMS) standard
ISO/IEC 27701 is an international privacy framework for the protection of personally identifiable information (PII). The standard covers data protection requirements from data protection regulations such as the General Data Protection Regulation (GDPR).

SOC 2: Security, availability, processing integrity and confidentiality standard
The SOC 2 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) existing Trust Services Criteria (TSC). The purpose of this audit is to evaluate an organization’s information systems relevant to security, availability, processing integrity, and confidentiality.
Certification on file

Cloud Security Alliance: Cloud security and privacy standard
The CSA Security Trust Assurance and Risk program promotes the use of best practices for providing security assurance within cloud computing. OCLC participates in the voluntary CSA Security, Trust & Assurance Registry (STAR) to document compliance with CSA-published security and privacy controls.

EU Cybersecurity Act: European cybersecurity standard
The EU Cybersecurity Act establishes a cybersecurity framework for digital products and services. The cybersecurity framework defines required security controls companies must follow when doing business in the EU.
OCLC undergoes an annual ISO 27001 audit to demonstrate compliance with this regulation.

Italy AGID: Italian approved cloud provider marketplace
The Agency for Digital Italy (AgID) coordinates policies in the field of innovation and actively supports the spread of information and communication technologies to advance the digitization and modernization of Public Administration. All its guidelines and actions are developed at the national and European levels from a unified and consistent perspective to federate technological infrastructure, to ensure the safe and reliable preservation and management of public data, and to provide integrated, shared, high-quality services.

Spain Esquema Nacional de Seguridad (ENS): Spain cybersecurity standard
The ENS accreditation scheme has been developed by the Ministry of Finance and Public Administration and the CCN (National Cryptologic Centre). This scheme is comprised of basic principles and minimum requirements necessary for the adequate protection of information.
Certification on file

United Kingdom Cyber Essentials: UK cybersecurity standard
Cyber Essentials is a UK government-backed scheme designed to help organizations assess and mitigate risks from common cyber security threats to their IT systems. The Cyber Essentials scheme is a cybersecurity standard that identifies security controls for an organization to have in place within their IT systems. The Cyber Essentials scheme is a requirement for all UK government suppliers handling any personal data.
All of these are regularly assessed by third parties and/or independent auditors, and result in a certification, audit report, or confirmation of compliance (unless otherwise specified). Compliance alignments and frameworks include published requirements for specific purposes.
Strategic security principles
At OCLC, we believe that all our efforts to improve security must:
- Properly reflect the borderless, interconnected, and global nature of today’s environment
- Be based on risk management
- Involve all OCLC employees
- Adapt rapidly to emerging threats, technologies, and business models
- Focus on bad actors and their threats
Meet OCLC's information security experts
OCLC’s Global Security Services Team
OCLC’s Global Security Services team is comprised of a Security Governance Program Director, Information Security Manager, Security Architects, Information Security Engineers, and Security Compliance and Governance Analysts. In addition, OCLC has appointed a Data Protection Officer. These professionals are dedicated to the security and protection of personal and institutional data associated with OCLC's customers.
Global Security Services Team members hold a variety of industry-recognized, professional certifications, such as ISC2 Certified Information Systems Security Professional (CISSP), ISACA Certified Information Security Auditor, IAPP Certified Privacy Professional, and others. Our data governance body reports to executive management and our Incident Response Team is trained in incident response and forensics. All OCLC staff members undergo annual training sessions and periodic testing as part of our security awareness program.
Information Security in Europe, Africa, Asia and the Pacific
Mira Golsteijn is OCLC’s Information Security Manager for its Europe, the Middle East and Africa (EMEA) and Asia Pacific (APAC) regions. She is a subject matter expert for security programs in these regions and is fully committed to the security and protection of personal and institutional data.
Have any questions?
Contact OCLC's global information security team and a member of our team will reach out.